Abstract

The MySQL challenge-and-response authentication protocol is proved
insecure. We show how an eavesdropper can impersonate a valid user
after witnessing only a few executions of this protocol. The algorithm
of the underlying attack is presented. Finally we comment on
implementations and statistical results.

1 Introduction 

The use of computer-based user authentication has become a cryptographic
tool widely used these days. Every remote connection (SSH, SSL, et cetera)
is initiated with a user authentication. This also holds true for
remote-access databases such as the MySQL Database Engine. Computer-based
user authentication amounts to one of several processes by which an entity,
the user, is able to authenticate himself by way of a cryptographic protocol
to another entity, often a server, in such a way that no person other than
the user can do this. Different standards exist for user authentication, such
as zero-knowledge cryptography (e.g., the Fiat-Shamir [3], Guillou-Quisquater [B]
or Schnorr [9, 10] identification protocols), or challenge-and-response
protocols (e.g., see Kerberos [7], the Secure Shell authentication protocols [5]; see
also [13]).

MySQL Database Engine ([2]) is a world known open source database 
engine enabling remote access through secured channels. This package is 
widely used in many applications such as world wide web portals and intranet 
services and has become a standard in its category. 

The MySQL scenario consists of a server, which centralizes all
the information in a database to which validated users, called clients, have
access by logging on to the server through an authentication procedure. Once
a client authenticates himself to the server, he can start a session and
subsequently obtain any information from the database in the server. This
information then travels through channels encrypted with a key
negotiated between the client and server, and can thus be read only by
this client. Different parameters as to how this is done can be, and are, selected
by server administrators. However, all these possible configurations have in
common the same authentication procedure.

The authentication protocol was designed by the MySQL team with a
twofold purpose: to prevent the flow of plaintext passwords over the
network, and to prevent their storage in plaintext on the server's and user's
respective terminals. For these purposes, a challenge-response mechanism
for authentication was chosen together with a hash function. There is no
mention of this authentication mechanism in the literature, as it was designed by
the MySQL development team and never published. The authentication
procedure we describe here is extracted from the source code¹ implemented in
every version of MySQL. Slight variations are to be found between versions
prior to 3.20, and versions after 3.21.

Regrettably, this authentication mechanism is not cryptographically strong.
Firstly, we shall see that the second objective is not met, since the only
value needed to authenticate a user is stored both on his machine and on the
server. Moreover, we shall see that each time a user undergoes a
challenge-and-response execution, information allowing an attacker to
recover this user's password is leaked.

In view of these vulnerabilities, which we describe in Section 2, we designed
an attack, described in Section 3, which permits an eavesdropper to
authenticate to the database engine impersonating the witnessed valid user
after only witnessing a few successful authentications of this user.

We shall prove that all the contents of a MySQL database can be obtained
by sniffing a few client authentications. In fact, our algorithmic construct
works in such a way that every time a client authenticates himself to
the server, the key search space narrows in an almost exponential manner.
That is, starting with a brute-force key search space of $2^{64}$, we are
reduced to a search space of 300 after only 10 authentications!

Previous vulnerabilities in the MySQL Database Engine were
discovered in the Bugtraq advisories [8], [12] and [1]. An advisory authored
by the subscribers which briefly describes this attack appeared as a Bugtraq 
Advisory in pQ. 

¹ Available at http://www.mysql.com

2 Technical Description



2.1 The challenge/response mechanism 

The authentication protocol of the MySQL Database Engine is of the
challenge-and-response type. The underlying idea behind this construction is that
no passwords are sent between client and server through the connection.
The challenge-response mechanism of MySQL does the following (from
mysql-3.22.32/sql/password.c). MySQL provides users with two
primitives used for the authentication protocol:

• a hash function, and 

• a (supposedly) one-way function; 

both of their own design. The protocol goes as follows. On connection, when 
a user wants to log in, a random string is generated by the server and sent to 
the client — this is the challenge. The client, using as input the hash value 
of the random string he has received and the hash value of his password, 
calculates a new string using the one-way function — the response — which 
is sent to the server. 

This checksum string is sent to the server, where it is compared with a
string generated from the stored hash_value of the password and the random
string. The password is saved (in user.password) by using the PASSWORD()
function in mysql. If the server calculates the same string as the response,
the user is authenticated.

2.2 Problem Description 

The hash function provided by MySQL outputs eight-byte strings, which
makes $2^{64}$ possibilities. The one-way function also outputs eight-byte
strings, but with only 2*^^ possibilities, having a fixed input size of 8 bytes. 
From this we deduce that more than one hashed password produces the same 
(expected) response for a given challenge. That is, we shall show that for a 
given challenge, not only the original password gives the correct response, but 
a much larger collection of values — standing for different hashed passwords — 
also do (see Section H]). We wish to remark that only the one-way function 
shall be analyzed and proved insecure, whereas the hash function shall not 
be analyzed. 

We also point out that the authentication mechanism of MySQL does
not require the password for a successful authentication, but the password's
hash value. Hence, to impersonate a user only the hash value of this user's
password is needed, so that the hash function is of no interest for this account.

To validate our claim, we explain why the hash value of the password can
be efficiently calculated using only a few executions of the
challenge-and-response mechanism for the same user. More explicitly, in the forthcoming
section we exploit this weakness, and deduce that an attack much more efficient
than a brute-force attack can be carried out in only a few hours on a personal
computer (see Section H]). Explicitly, after gaining a positive number of pairs 
of challenge and response, an eavesdropper is able to efficiently calculate 
the set of values, standing for hashed passwords, that pass the intercepted 
challenge and response pairs. 

To do this, we first describe how the MySQL one-way function
works, then analyze the scheme's security, and then describe the
attack we devised. The actual algorithm for making these calculations will
be described in Section 3. The algorithm we describe was implemented
in Squeak Smalltalk (see [11]) by co-authors Gerardo Richarte and Carlos
Sarraute. All the empirical results herein provided are derived from that
implementation, and Figures 1, 2 and 3 (in Subsections 3.1 and 3.2) are
cut-and-pasted black and white screen images of this implementation.

Let $n := 2^{30} - 1$ (here $n$ is the max_value used in randominit() and
old_randominit() respectively). Fix a user $U$ and initiate a challenge
and response; that is, suppose the server has sent a challenge to the user $U$.
The hash value of this user's password is 8 bytes long. Denote by $p_1$ the first
(leftmost) 4 bytes of this hash value and by $p_2$ the last 4 bytes (rightmost).
Likewise, let $c_1$ denote the first 4 bytes of the challenge's hash value and $c_2$
the last 4. We describe how to calculate the output of the one-way function
and how this one-way function is used.

1. calculate the values $s_1 := p_1 \oplus c_1$ and $s_2 := p_2 \oplus c_2$ (here $\oplus$ denotes the
bitwise exclusive or (XOR) function, and $s_1$ and $s_2$ are the input to the
one-way function),

2. calculate recursively for $1 \le i \le 8$:

$$s_1 = 3 \cdot s_1 + s_2 \bmod n$$

$$s_2 = s_1 + s_2 + 33 \bmod n$$

$$w_i = \left\lfloor \frac{31 \cdot s_1}{n} \right\rfloor + 64$$

(here $\lfloor x \rfloor := \max\{k \in \mathbb{Z} : k \le x\}$ is the floor function)

3. calculate from the preceding values

$$s_1 = 3 \cdot s_1 + s_2 \bmod n$$

$$s_2 = s_1 + s_2 + 33 \bmod n$$

$$w_9 = \left\lfloor \frac{31 \cdot s_1}{n} \right\rfloor$$

4. output the checksum value

$$w = (w_1 \oplus w_9) \,\|\, \cdots \,\|\, (w_7 \oplus w_9) \,\|\, (w_8 \oplus w_9).$$

It is this checksum $w \in \{0, 1\}^{64}$ that is sent, by $U$, to the server. The
server, that has in store the hash value of $U$'s password, recalculates the
checksum by this same process and succinctly verifies the authenticity of the
value it has received. However, a small collection of these checksums
allows any attacker to obtain $p_1$ and $p_2$ (the hash value of the user's
password) and hence enables the attacker to impersonate any user with
only the information that travels on the wire between server and client (the
user $U$). Actually, at each step of the algorithm a set of values $(p_1, p_2)$ is
calculated such that.

The reason why the process of producing the checksum out of the hash
values of both the password and the challenge is insecure is that this process
can be efficiently reversed due to its rich arithmetic properties. More
specifically, consider the one-way function described above as a mapping $f$ that
takes as input the two values $X$ and $Y$ and produces the checksum value
$f(X, Y) = w$ (e.g., in our case $X := p_1 \oplus c_1$ and $Y := p_2 \oplus c_2$). Then we can
efficiently calculate all of the values $X', Y'$ which map to the same checksum
value as $X, Y$, i.e. if $f(X, Y) = w$, then we calculate the set of all the
values $X', Y'$ such that $f(X', Y') = w$. This set is of negligible size in
comparison to the $2^{64}$-point set of all the possible passwords' hashes in which
it is contained. Furthermore, given a collection of challenge and response
pairs made between the same user and the server, it is possible to efficiently
calculate the set of all (hash values of) passwords passing the given tests.



3 The Algorithm For the Attack 

We now give a brief description of the attack we propose. This description
shall enable readers to verify our assertion that the MySQL authentication
scheme leaks information. This attack has been implemented in Squeak
Smalltalk and is now running perfectly. In what follows we shall depict the
procedures that constitute our attack. Since the attack is of a geometric
nature, we will be able to illustrate these procedures with screen snapshots
of the Squeak implementation.

The attack we designed is mainly divided into three stages. In these stages 
we respectively use one of our three algorithmic tools in various opportunities. 



Procedure 1 is an algorithmic process which has as input a checksum $w$, and outputs
a set of convex polygons $\mathcal{P} = \{P\}$ such that

- each $P$ is defined by its vertices,

- $f^{-1}(\{w\}) = \bigcup_{P \in \mathcal{P}} P$, e.g. the point $(p_1 \oplus c_1, p_2 \oplus c_2)$ of belongs
to a polygon $P$ in $\mathcal{P}$,

- $\#\mathcal{P} = 36$ or $48$ (see Remark 1 in the next subsection), and

- n P) ~ (unproven estimate). 



Procedure 2 An input is a pair of tuples $(c, \mathcal{P})$, $(c', \mathcal{P}')$ and an integer $k$, $1 < k < 32$,
where $c$ and $c'$ are different pairs of challenges, with respective
responses $w$ and $w'$ such that $f^{-1}(w) = \bigcup_{P \in \mathcal{P}} P$ and $f^{-1}(w') = \bigcup_{P' \in \mathcal{P}'} P'$,
and such that $\mathcal{P}$ and $\mathcal{P}'$ are compliant with the four conditions stated
above. The output is a collection of polygons $\overline{\mathcal{P}}$ consisting of all the
polygons $\overline{P} = \bigcup (P \cap Q)$, the union taken over all the squares $Q$ of
side 2^^"^^ and vertices with entries in {z ■ 2^^ : < z < 2^^"^^}, and all 
the polygons $P \in \mathcal{P}$ for which there exists a $P' \in \mathcal{P}'$ such that

$$(P \oplus c) \cap (P' \oplus c') \neq \emptyset.$$



Procedure 3 Given a set of integer points $Z$ and a collection of pairs
$(c^{(1)}, w^{(1)}), \ldots, (c^{(n)}, w^{(n)})$ as input ($n \in \mathbb{Z}$, $n > 2$), this procedure outputs a new
collection of points $Z'$ such that every point $z$ in $Z'$ passes the $n$ given
challenges (i.e. $f(z, c^{(i)}) = w^{(i)}$ for all $z \in Z'$).

The rest of this section goes as follows: the first three forthcoming
subsections correspond to the three algorithmic tools we just described. In the
fourth and last subsection we explain how these tools are used in the attack
and prove the attack effective.

3.1 From brute-force to brute forge

In the preceding paragraphs of this section we have stated the input/output of
Procedure 1. This subsection is devoted to this procedure, which we call algorithmic
tool number 1 and which we now describe. As explained, Procedure 1,
from a pair of challenge and response $(c, w)$, produces a set of polygons $\mathcal{P}$
containing all the hashed passwords passing the same challenge, i.e. $\mathcal{P}$ is such
that $f^{-1}(w) = \bigcup_{P \in \mathcal{P}} (P \oplus c)$. We explain why the elements of $\mathcal{P}$ are convex
polygons and why this is a natural way of representing this
particular set of points (i.e. $f^{-1}(w)$); subsequently we describe the algorithm
underlying this procedure.

For any (hashed) password $p$, and a (hashed) challenge $c$, the
corresponding response is calculated by the process described in the previous section. To
invert this process, we inspect the one-way function $f$ more closely. Suppose
without loss of generality that $(w_1, \ldots, w_8)$ are known (e.g. $w_9$ is known).
Later in this section, in Remark 2, we justify this supposition by explaining
how this problem is tackled.

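From the definition of the $w_1, \ldots, w_9$ it follows that $64 \le w_i < 96$ (and
for $w_9$ it is $0 \le w_9 < 32$). For the input $X = p_1 \oplus c_1$ and $Y = p_2 \oplus c_2$,
it holds that the entries $w_i \in \mathbb{Z}$ verify a certain formula of the form

$$w_i = \left\lfloor \frac{31}{n} \big( (\alpha_i \cdot X + \beta_i \cdot Y + \gamma_i \cdot 33) \bmod n \big) \right\rfloor + 64$$

for some integers $\alpha_i, \beta_i, \gamma_i \in \mathbb{Z}$, where the $\alpha_i, \beta_i, \gamma_i$ can be calculated
once and for all. For example,

$$w_1 = \left\lfloor \frac{31}{n} (3X + Y \bmod n) \right\rfloor + 64,$$

$$w_2 = \left\lfloor \frac{31}{n} (12X + 5Y + 33 \bmod n) \right\rfloor + 64,$$

$$w_8 = \left\lfloor \frac{31}{n} (322863X + 140206Y + 33 \cdot 42450 \bmod n) \right\rfloor + 64,$$

$$w_9 = \left\lfloor \frac{31}{n} (1389207X + 603275Y + 33 \cdot 182656 \bmod n) \right\rfloor.$$

Notice that for the floor operation it holds that $\lfloor x \rfloor \le x < \lfloor x \rfloor + 1$. Then
from the value of $w_1$, we deduce that the inequation

$$\frac{n}{31}(w_1 - 64) \le 3X + Y \bmod n < \frac{n}{31}\big((w_1 - 64) + 1\big)$$

holds, i.e. there exists an integer $\delta_1 \in \mathbb{Z}$ such that

$$\frac{n}{31}(w_1 - 64) + \delta_1 n \le 3X + Y < \frac{n}{31}(w_1 - 63) + \delta_1 n.$$

Furthermore, from the fact that $0 \le X, Y < 2^{32}$ we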



deduce that < 5i < - 1 = 16. 
Figure 1: A polygon



For $w_2, \ldots, w_9$ similar equations hold. By a similar process to the one we
just applied to the defining equation of $w_1$, we deduce that

$$\frac{n}{31}(w_i - 64) + \delta_i n \le \alpha_i \cdot X + \beta_i \cdot Y + \gamma_i \cdot 33 < \frac{n}{31}(w_i - 63) + \delta_i n \tag{1}$$

where the bounds for the $\delta_i$ can be analogously deduced, i.e., it follows
that $\delta_i < \frac{2^{32}(\alpha_i + \beta_i) + 33\gamma_i}{n}$.

In this way, an attacker, for each choice of $\delta_1, \ldots, \delta_8$, is able to construct
the convex polygon

$$P_\delta := \bigcap_{1 \le i \le 8} \Big\{ (x, y) \in \mathbb{R}^2 : \frac{n}{31}(w_i - 64) + \delta_i n \le \alpha_i x + \beta_i y + \gamma_i \cdot 33 < \frac{n}{31}(w_i - 63) + \delta_i n \Big\},$$

seen in Figure 1. We thus see that for every $\delta = (\delta_1, \ldots, \delta_8)$, for every integer
point $(a, b)$ in $P_\delta \cap \mathbb{Z}^2$ it holds that $f(c, (a, b)) = w$. In fact it is easy to see
that the other inclusion also holds, i.e., for every pair $(a, b)$ which is mapped
via $f$ to the checksum $s$ there exists a tuple $\delta = (\delta_1, \ldots, \delta_8)$ such that $(a, b)$
belongs to $P_\delta$.

We shall see that many choices of the $\delta$ will define the same polygon.
Furthermore, we prove that $\mathcal{P} := \bigcup P_\delta$ (where the union is taken over all the
possible tuples $\delta_1, \ldots, \delta_8 \in \mathbb{Z}$) is a collection of 36 or 48 polygons in the next
remark.

Remark 1 Let $\mathcal{P}$ be defined as above. Then, each $P \in \mathcal{P}$ is a translation of
the other, i.e. for every $P, P' \in \mathcal{P}$ there exists $v$ such that $P = P' + v$.
Furthermore, it holds that $\#\mathcal{P}$ is equal to either 36 or 48.

Proof: The translation statement is straightforward. What the procedure
we described does is construct polygons by intersecting the convex
polygons defined by equations (1) and the square $[0, 2^{32}] \times [0, 2^{32}]$. The different
polygons that appear in $\mathcal{P}$ are generated by the different choices of $k_i$ in the
equations (1) and nothing else; these choices of $k_i$ shift the different defining
lines $k_i n$ upwards. The tangents of the different lines (which define the
polygons) respective to $w_1, \ldots, w_8$ are for every choice of challenge and password
3, 2.4, 2.3181, 2.3052, 2.3031, 2.3028, 2.3027, 2.3027, all rounded to the fourth
decimal.

To prove the second statement, let $P$ be a polygon in $\mathcal{P}$ with vertices
$(a_1, b_1), \ldots, (a_t, b_t)$; it is easy to see that the polygon with vertices
$(a_1 + in, b_1 + jn), \ldots, (a_t + in, b_t + jn)$ can be produced by a different choice
of $\delta$, for $i, j \in \mathbb{Z}$. Before proving this, we notice that we are interested
only in those polygons which have a nonempty intersection with the square
[0, 2^2 - 1] X [0, 2^2 - 1] where the password is located. Since [2^71 J = 12 
and [2^2 /nj = 4, we deduce that #P ~ 48. □ 

However, for our computational aims, we notice that the 5i can be more 
accurately bounded by the formula re-studying the calculation process for the 
Wi. The best bound for 5i is the already calculated 5i < 16. For 1 < i < 8 we 
write sf* := 3s^* + $2 mod (n), and := + $2 + 33 mod (n) 

(where sf^ = X, sf''' = Y). For 1 < i < 8, denote by and the integers 
such that = 3s^l~^^ + S2~^^ — ^iU, and = + Sg""*"^ + 33 — e-n. 
Since < s^'^Sg^ < n, it follows that < Cj < 3 and < < 2 and 
4'^ = 4'^ + sf^ + 33 - e[n. 

Fix a user $U$ with hashed password $p$. Denote by $F(p, c)$ the function
that from a (hashed) password $p$ and a (hashed) challenge $c$ produces the
checksum $w$ as explained in the previous section. Suppose that a pair $(c, w)$
of challenge and response corresponding to user $U$ is known (e.g., to the
attacker). Denote, as in the previous section, the (32) more significant bits
of $p$ and $c$ by $p_1$ and $c_1$, and the (32) least significant bits by $p_2$, $c_2$ respectively.

Remark 2 By applying the algorithmic procedure just described to
$w[k] = (w_1 \oplus k \,\|\, \ldots \,\|\, w_8 \oplus k)$ for $0 \le k < 32$, only one value of $k$ produces a nonempty
output, hence that value of $k$ is precisely $w_9$, i.e. we have $w_9 = k$.

Figure 2: The polygons collection $\mathcal{P}$

We will not prove this remark, since this result is totally dependent on the
specific parameters used for this authentication scheme. However, we do
give a mild justification. Suppose that we have made our choice for a $w_9$
candidate, say $\hat{w}_9$, and that it is a wrong choice. Suppose furthermore that
the $\delta_i$ are already chosen. Then the polygon $P$ defined by these choices is

$$P = \bigcap_{1 \le i \le 8} \Big\{ (x, y) : \frac{n}{31}(w_i \oplus \hat{w}_9 \oplus w_9 - 64) + \delta_i n \le \alpha_i \cdot x + \beta_i \cdot y + \gamma_i \cdot 33 < \frac{n}{31}(w_i \oplus \hat{w}_9 \oplus w_9 - 63) + \delta_i n \Big\}.$$

Notice that each of the sets defined between brackets appearing in the
above intersection is a polygon; furthermore the two underlying lines at each
intersection, $\frac{n}{31}(w_i \oplus \hat{w}_9 \oplus w_9 - 64) + \delta_i n = \alpha_i \cdot X + \beta_i Y + \gamma_i \cdot 33$ and
$\frac{n}{31}(w_i \oplus \hat{w}_9 \oplus w_9 - 63) + \delta_i n = \alpha_i \cdot X + \beta_i Y + \gamma_i \cdot 33$, are at a vertical distance of an
integer factor of When the equations come out incorrectly the polygon 
they define is shifted vertically (upwards or downwards) a distance which is 
a factor of This last fact, together with the fact explained in the previous 
remark that the tangents of the lines of each of these polygons are quite 
similar implies our assertion. 

In Figure 2 we can see an image of the result of Procedure 1, four rows 
of twelve polygons each. As we explained, this is a typical behavior.

Figure 3: The second and third steps

3.2 Wash out of invalid passwords 

Let be given a collection $(c, w, \mathcal{P})$, $(c', w', \mathcal{P}')$ and an integer $k$, $1 < k < 32$,
such that $(c, w)$ and $(c', w')$ are two pairs of challenge and response, and that
$\mathcal{P}$ and $\mathcal{P}'$ are the sets of polygons respective to the given pairs of challenge
and response, as produced with Procedure 1.

To describe the output we define some notation. For every $0 \le i, j < 2^k$,
let

$$Q := [i \cdot 2^{32-k}, (i + 1) \cdot 2^{32-k}] \times [j \cdot 2^{32-k}, (j + 1) \cdot 2^{32-k}].$$

And let $\mathcal{Q}$ denote the set of all these squares. Then, let $\mathcal{P}_1$ denote the set
$\mathcal{P}_1 := \bigcup (P \cap Q)$, where the union is taken over all $Q \in \mathcal{Q}$, $P \in \mathcal{P}$. Then the
output is the subset of $\mathcal{P}_1$ of all $P_1 \in \mathcal{P}_1$ for which there exists a $P' \in \mathcal{P}'$
such that

$$(P \oplus c) \cap (P' \oplus c') \neq \emptyset,$$

this means that there exists a point $(a_1 \oplus c, b_1 \oplus c) = (a' \oplus c', b' \oplus c')$ for some
$(a, b) \in P$ and $(a', b') \in P'$ (so that $f(a, b) = s$ and $f(a', b') = s'$).
The output is a collection of polygons $\overline{\mathcal{P}}$ consisting of all the polygons
$\overline{P} = \bigcup (P \cap Q)$, the union taken over all the squares $Q$ of side $2^{32-k}$ and
vertices with entries in {i ■ 2^^ : < i < 2^^"^^}, and all the polygons P G P 
in $\mathcal{P}$ for which there exists a $P' \in \mathcal{P}'$ such that $(P \oplus c) \cap (P' \oplus c') \neq \emptyset$. In
Figure 2, we see two steps of this procedure over the chosen example.

Notice that we do not calculate $\bigcup_{P \in \mathcal{P}, P' \in \mathcal{P}'} P \cap P'$; this would be inefficient,
e.g. it would make the size of the output grow and would not make much of
a difference in the point size of the output.

3.3 Rising of passwords

Procedure 3 is straightforward and does not need much explanation. Given a
set of points and a pair of challenge and response, one simply browses over
every point of this set, calculating the checksum corresponding to this point
and the given challenge, and adds it to the output set only if it produces the
given response.
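
The response calculation of Section 2.2 and the filtering step of Procedure 3, as an added example (not code from the paper or from MySQL): it shows that the server-side check needs only the stored hash, that a second hash value can answer one challenge identically, and that further captured pairs never enlarge the surviving set. It assumes the page's formulas with n = 2^30 - 1 evaluated in exact integer arithmetic; the hash and challenge values and the names `checksum`, `server_accepts`, `alias_for` and `procedure3` are constructed for illustration.

```python
# Added example, not MySQL's or the paper's code. Follows the page's steps 1-4
# with exact integer arithmetic; all sample values below are constructed.
N = 2**30 - 1          # n: max_value used by randominit()


def checksum(p, c):
    """Response to hashed challenge c=(c1, c2) for hashed password p=(p1, p2)."""
    s1, s2 = p[0] ^ c[0], p[1] ^ c[1]         # step 1: the seeds X and Y
    w = []
    for _ in range(9):                        # steps 2-3: w_1..w_8, then w_9
        s1 = (3 * s1 + s2) % N
        s2 = (s1 + s2 + 33) % N
        w.append(31 * s1 // N)                # floor(31*s1/n), always 0..30
    w9 = w.pop()                              # w_9 gets no +64 offset
    return bytes((wi + 64) ^ w9 for wi in w)  # step 4: eight bytes in 64..95


def server_accepts(stored_hash, c, response):
    """The server's check: it needs the stored hash, never the password."""
    return checksum(stored_hash, c) == response


def alias_for(p, c):
    """A different hash that answers challenge c exactly like p does.

    Shifting the seed X = p1 ^ c1 by n leaves every value mod n unchanged,
    which is the translation by multiples of n noted in Remark 1.
    """
    return (((p[0] ^ c[0]) + N) ^ c[0], p[1])


def procedure3(candidates, pairs):
    """Keep the candidates that reproduce every captured (challenge, response)."""
    return [z for z in candidates
            if all(checksum(z, c) == w for c, w in pairs)]


# Constructed 31-bit sample values: one stored hash and three hashed challenges.
TRUE_HASH = (0x5D2E19B7, 0x3A6F44C1)
CHALLENGES = [(0x1F4A7C15, 0x6B8B4567),
              (0x327B23C6, 0x643C9869),
              (0x66334873, 0x74B0DC51)]
PAIRS = [(c, checksum(TRUE_HASH, c)) for c in CHALLENGES]   # seen on the wire
CANDIDATES = [TRUE_HASH,
              alias_for(TRUE_HASH, CHALLENGES[0]),
              alias_for(TRUE_HASH, CHALLENGES[1]),
              (0x01234567, 0x089ABCDE),
              (0x5D2E19B7, 0x3A6F44C0)]

if __name__ == "__main__":
    for i in range(1, len(PAIRS) + 1):
        left = procedure3(CANDIDATES, PAIRS[:i])
        print(f"{i} pair(s): {len(left)} of {len(CANDIDATES)} candidates remain")
```

Because `server_accepts` takes the stored hash and nothing else, the contents of `user.password` need the same protection as the passwords themselves.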

3.4 The complete algorithmic attack 

A complete attack on a valid user, who has produced the pairs of challenge
and response $(c_1, w_1), \ldots, (c_t, w_t)$, is done by repeated application of the
procedures we have just described. To start with, we select the number $k < t$
of these challenge and response pairs to which we are going to apply
Procedure 1. That is, for the pairs $(c_1, w_1), \ldots, (c_k, w_k)$ we apply
Procedure 1 and output collections $\mathcal{P}_1, \ldots, \mathcal{P}_k$. Typically (on our examples) the
number $k$ is taken to be 5 or less.

On a second step, after selecting a second integer $1 < k' < 32$, we apply
Procedure 2 recursively to the triplets $(c^{(1)}, w^{(1)}, \mathcal{P}^{(1)}), \ldots, (c^{(k)}, w^{(k)}, \mathcal{P}^{(k)})$;
that is, first we apply Procedure 2 to $(c^{(1)}, w^{(1)}, \mathcal{P}^{(1)})$ and $(c^{(2)}, w^{(2)}, \mathcal{P}^{(2)})$
using cubes of size 2^^^^ , then we apply Procedure 2 to the previous result 
and $(c^{(3)}, w^{(3)}, \mathcal{P}^{(3)})$, and continue this recursive application until the $k$-th
tuple is reached. After doing this (the $k$ applications of this procedure) we
get a set of polygons $\mathcal{P}$ having a small number of integer points (compared
to the brute-force value $2^{64}$).

Finally, we recursively apply Procedure 3 to the set $\mathcal{P}$ and each of the
remaining challenge and response pairs $(c^{(k+1)}, w^{(k+1)}), \ldots, (c^{(t)}, w^{(t)})$ as
follows. First we extract every integer point of $\mathcal{P}$ and store them as points.
Then we use Procedure 3 with the resulting set as input and $(c^{(k+1)}, w^{(k+1)})$.
After we have finished with $(c^{(k+j)}, w^{(k+j)})$, for $j \ge 1$, we continue by
applying Procedure 3 to the resulting set and $(c^{(k+j+1)}, w^{(k+j+1)})$. We end when
$(c^{(t)}, w^{(t)})$ is reached and there are no more challenge and response pairs
left, or before if the set of remaining points has only one point left. In the
latter case we have found the password's hash. Else, we get as output the set
of passwords' hashes that pass every one of the challenge and response pairs
we have as input. It should be remarked, and shall be further emphasized
by empiric data in the next section, that in the case of the output being a
set of more than one point, all of these points are not just random points in
$[0, 2^{32}] \times [0, 2^{32}]$, but have high probability of passing an additional test.

4 Statistics and Conclusions

We coded the algorithm of the preceding section in Squeak Smalltalk, and
analyzed the results. In the examples tested, about 300 possible passwords
were left with the use of only 10 pairs of challenge and response. Notice that
in a plain brute-force attack about $2^{64} - 300$ = 18,446,744,073,709,551,316
would remain as possible passwords. It took about 100 pairs of challenge and
response to cut the 300-point set to a set containing 2 possible passwords
(i.e., a fake password and the actual password). Finally it took about 300
pairs of challenge and response to get the password.

In other examples we used only ten pairs of challenge and response,
thus getting a set of approximately 300 points in each case. Then we randomly
selected 1000 challenges and made the 1000 tests on every one of the 300
points we had. The result was that each of the remaining points passed over
920 of the 1000 tests. That is, the mean (sample-mean) of the probability
that a point (in the set left after applying our algorithm to ten pairs of challenge
and response) passes a test is 92%.

We are therefore able to make a variety of attacks depending on the
number of pairs of challenge and response we get from the user we want to
impersonate. The two extremal cases are very few pairs of challenge and
response from the same user, and a lot of pairs of challenge and response.
The second attack, that of many pairs of challenge and response captured,
is straightforward: apply the algorithm described above until the password
is found. The first case, that of only a few pairs of challenge and response
captured, is easy to carry out as well: simply apply the algorithm we described
with all the pairs of challenge and response captured, then use any possible
password in the set produced by the application of the algorithm for
authenticating yourself as a user (some of these fake passwords will still pass many
tests!).

We do not analyze the order of the complexities of our procedures because
we are working with an input of fixed size. Since every one of the attacks
we made was much alike in the performance/computation-time aspect, we
describe a specific example of an attack, pointing out the computation time
needed at each step in the attack, and the number of points left (in the
$2^{64}$ to 1 countdown of possible hashed passwords). In a specific example
we applied Procedure 1 to a pair of challenge and response, calculating 48
polygons, each a translation of the other, of area 2^^, which makes a set of
area approximately 2^^. The whole procedure application lasted no more 
than half an hour in a Pentium 3 64Mb RAM personal computer. We applied 
Procedure 1 to four other pairs of challenge and response obtaining similar 
results. This constituted the first two hours and a half of the attack. The
four applications of Procedure 2 lasted half an hour each, and resulted in
a collection of 32 polygons of area approximately 2^^ each, i.e. a set of 
size 2^^. Finally we applied Procedure 3 getting the announced 300 possible 
hashed passwords in about six hours and using only 10 pairs of challenge 
and response. The complete attack lasted approximately twelve hours, in 
this case we had available some 300 more challenge and response pairs and 
were able to recover the hashed password in five more minutes. 



Credits: These vulnerabilities were found and researched by Agustin Azubel,
Emiliano Kargieman, Gerardo Richarte, Carlos Sarraute and Ariel Waissbein
of CORE Security Technologies, Buenos Aires, Argentina.

A prior notification of these results appeared signed by researchers and
co-author Ivan Arce as "An advisory on MySQL's login protocol" in
SecurityFocus' Bugtraq newsgroup pQ.